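# Write an OpenWrt firewall-config rewrite script to /root, then run it once.
# The inner script replaces /etc/config/firewall with a fixed IPv4-only layout
# (defaults, lan/wg/ipsecserver/wan zones, two forwardings, the usual WAN
# rules) and keeps a `config include` section only for each include script
# that actually exists on disk. It must run as root on the router itself.
cat >/root/fix_firewall_ui_ipv4.sh <<'EOS'
#!/bin/sh
# Rewrite /etc/config/firewall with a known-good IPv4 layout.
#
# Side effects: backs up the current file to /root, stages and validates the
# new file, replaces the live one, restarts the firewall and clears the LuCI
# cache. If the firewall fails to restart, the backup is put back.
# Exit status: 0 on success, 1 on any failed step (set -e or explicit die).
set -eu

FW=/etc/config/firewall
BK=/root/firewall.bak.$(date +%Y%m%d-%H%M%S)

# Stage the new file under a private, unpredictable directory rather than a
# fixed /tmp/firewall.new.$$ name: nobody else can pre-create the path, and
# `uci -c "$TMPD"` can parse the staged file as config "firewall" before it
# touches /etc.
TMPD=$(mktemp -d) || exit 1
TMP=$TMPD/firewall

die() { printf '%s\n' "$*" >&2; exit 1; }
cleanup() { rm -rf -- "${TMPD:?}"; }
trap cleanup EXIT

echo "==> 备份 $FW -> $BK"
cp -a -- "$FW" "$BK"

# --- Base IPv4 configuration, matching the screenshot ---
# NOTE(review): `config defaults` below sets forward 'ACCEPT', which is the
# global policy for forwarded traffic not covered by a `config forwarding`
# section; stock OpenWrt ships REJECT there. Confirm the permissive default
# is intended before rolling this out widely.
cat >"$TMP" <<'FW'
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option fullcone '2'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wg'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'ipsecserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'ipsec_server'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'wan'

# ---- Common IPv4-only rules ----
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'
FW

# --- Keep each include only if its script exists ---
# Arguments: $1 - UCI section name, $2 - path of the include script
# Outputs:   appends a `config include` section to $TMP when $2 exists
add_include() {
  [ -f "$2" ] || return 0
  cat >>"$TMP" <<FW
config include '$1'
        option type 'script'
        option path '$2'
        option reload '1'
FW
}

add_include luci_app_ipsec_server /var/etc/ipsecvpn.include
add_include openclash /var/etc/openclash.include
add_include shadowsocksr /var/etc/shadowsocksr.include

# --- Validate, then apply ---
# A parse error in the staged file aborts here, before the live file changes.
uci -q -c "$TMPD" show firewall >/dev/null || die "staged firewall config does not parse; nothing applied (backup: $BK)"

# Discard any staged-but-uncommitted uci edits so the `uci commit` below
# cannot layer stale changes from /tmp/.uci on top of the freshly written file.
uci -q revert firewall || true
mv -- "$TMP" "$FW"
uci commit firewall

# Roll back to the backup if the new rule set cannot be loaded, so a typo in
# the layout above cannot leave the router without a firewall.
if ! /etc/init.d/firewall restart; then
  printf '==> firewall restart failed, restoring %s\n' "$BK" >&2
  cp -a -- "$BK" "$FW"
  /etc/init.d/firewall restart || true
  exit 1
fi

# Best-effort: drop the LuCI cache and reload the web server so the UI shows
# the new layout; failures here are not fatal.
rm -rf /tmp/luci-* 2>/dev/null || true
/etc/init.d/uhttpd reload 2>/dev/null || true

echo "==> 完成。关键项："
# `|| true`: under set -e a no-match grep (exit 1) must not abort before the
# backup path is printed. egrep is deprecated; grep -E is the portable form.
uci show firewall | grep -E "(=zone|\.name=|\.network=|=forwarding|\.src=|\.dest=|masq|mtu_fix)" || true
echo "备份文件：$BK"
EOS

chmod +x /root/fix_firewall_ui_ipv4.sh
sh /root/fix_firewall_ui_ipv4.sh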